EP4175217A1 - Signatursteuerungsverfahren, signatursteuerungsprogramm und informationsverarbeitungsvorrichtung - Google Patents

Signatursteuerungsverfahren, signatursteuerungsprogramm und informationsverarbeitungsvorrichtung Download PDF

Info

Publication number
EP4175217A1
EP4175217A1 EP20943095.8A EP20943095A EP4175217A1 EP 4175217 A1 EP4175217 A1 EP 4175217A1 EP 20943095 A EP20943095 A EP 20943095A EP 4175217 A1 EP4175217 A1 EP 4175217A1
Authority
EP
European Patent Office
Prior art keywords
information
signature
document
aggregate
pieces
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP20943095.8A
Other languages
English (en)
French (fr)
Other versions
EP4175217A4 (de
Inventor
Rikuhiro Kojima
Dai Yamamoto
Koichi Yasaki
Jumpei Yamaguchi
Toshiya Shimizu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujitsu Ltd
Original Assignee
Fujitsu Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujitsu Ltd filed Critical Fujitsu Ltd
Publication of EP4175217A1 publication Critical patent/EP4175217A1/de
Publication of EP4175217A4 publication Critical patent/EP4175217A4/de
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Definitions

  • the present invention relates to a signature control method, a signature control program, and an information processing device.
  • electronic signature information may be added to the document information. Furthermore, there is a technique called an aggregate signature that aggregates a plurality of pieces of signature information added to a plurality of pieces of document information that are different from each other into a single piece of signature information using a plurality of private keys.
  • the existing technique has a problem of increasing a cost involved in verifying validity of signature information.
  • a plurality of public keys corresponding to the plurality of private keys is managed in order to verify the validity of the generated single piece of signature information. Therefore, as the number of public keys increases, the processing cost for verifying the validity of signature information and the management cost for managing the public keys increase.
  • an object of the present invention is to reduce the cost incurred when verifying the validity of signature information.
  • a signature control method including acquiring a plurality of pieces of document information and signature information corresponding to each piece of document information of the plurality of pieces of document information; generating aggregate signature information obtained by aggregating the signature information corresponding to the each piece of document information of the plurality of acquired pieces of document information on the basis of the plurality of acquired pieces of document information; and outputting the generated aggregate signature information in association with aggregate public key information obtained by aggregating public key information corresponding to the each piece of document information of the plurality of pieces of document information and the plurality of pieces of document information.
  • FIG. 1 is an explanatory diagram illustrating an example of a signature control method according to an embodiment.
  • An information processing device 100 is a computer for generating signature information to be added to document information.
  • the information processing device 100 is a server, a personal computer (PC), or the like.
  • the signature information is used to prevent falsification of document information, or to certify, confirm, approve content of the document information, or express an intention such as consent to content of the document information.
  • the signature information representing a corporation is added to a final version of the document information created by the corporation and to be released outside the corporation, and is then released outside the corporation.
  • a verifier outside the corporation verifies the signature information representing the corporation added to the final version of the document information, and attempts to confirm whether the final version of the document information has not been falsified and is valid.
  • signature information called e-Seal tends to be used as the signature information representing a corporation.
  • a use case is conceivable in which a plurality of approvers adds personal signature information to the document information while revising the document information, and a server adds signature information representing the corporation to the final version of the document information after the document information becomes the final version, according to an approval flow within the corporation.
  • the server adds the signature information representing the corporation to the document information only in a case where all pieces of the signature information added to the document information by the respective approvers before the document information becomes the final version are valid.
  • the signature information representing the corporation may be mistakenly added to invalid document information.
  • the invalid document information is, for example, document information created by an attacker against the corporation, document information that has been falsified, or document information that violates the approval flow and has not been approved by at least one of the approvers.
  • the signature information representing the corporation is added to the invalid document information as a result of cracking the server that adds the signature information representing the corporation to the final version of the document information.
  • the verifier outside the corporation will mistakenly determine that the invalid document information is valid document information on the basis of the signature information representing the corporation.
  • the verifier outside the corporation cannot verify the process of a plurality of approvers approving the document information and adding the personal signature information to the document information according to the approval flow, and it is difficult to verify whether the document information is valid.
  • Non-Patent Document 1 Akira Nishiyama, "Use Cases and Issues of e-Seal in Japan", [online], March 19, 2019, Japan Trust Service Forum, [searched on June 26, 2020], Internet ⁇ URL: https://www.soumu.go.jp/main_content/000607659.pdf>
  • the aggregate signature is a technique of aggregating a plurality of pieces of signature information added to a plurality of pieces of document information that are different from each other into a single piece of signature information using a plurality of pieces of private key information, for example.
  • aggregate signature implementation methods include, for example, a BLS signature-based implementation method, a lattice cryptography-based implementation method, and the like.
  • the plurality of pieces of public key information corresponding to the plurality of pieces of private key information is registered in a public storage device in a referable manner by the verifier outside the corporation.
  • the number of approvers increases, the number of pieces of public key information registered in the storage device also increases. For this reason, an increase in management cost when managing the public key information is incurred. Furthermore, an increase in processing cost when verifying the single piece of signature information is incurred.
  • a signature control method capable of reducing the management cost and processing cost incurred when verifying validity of the signature information by reducing the number of pieces of public key information to be used when verifying the validity of the signature information will be described.
  • the information processing device 100 has a signature aggregation algorithm.
  • the signature aggregation algorithm defines a method of generating one piece of aggregate signature information obtained by aggregating a plurality of pieces of signature information.
  • the information processing device 100 has a key aggregation algorithm.
  • the key aggregation algorithm defines a method of generating one piece of aggregate public key information obtained by aggregating a plurality of pieces of public key information.
  • the information processing device 100 outputs the generated aggregate signature information 110 and the generated aggregate public key information 121 in association with the documents 1 to 3. Specifically, the information processing device 100 outputs the generated aggregate signature information 110 and the generated aggregate public key information 121 in association with the documents 1 to 3 in a referable manner by another computer.
  • the another computer is, for example, a computer corresponding to a verifier.
  • the information processing device 100 can reduce the number of pieces of public key information referred to by the computer corresponding to the verifier, and reduce the management cost incurred when managing the public key information and the processing cost incurred when using the public key information. Furthermore, the information processing device 100 enables the verifier to verify the process of generating the plurality of pieces of signature information, which are aggregation sources of the aggregate signature information, on the basis of the aggregate signature information. Therefore, the information processing device 100 can prevent a situation in which the verifier mistakenly determines that the invalid document information is valid document information.
  • the another computer has a one-key verification algorithm.
  • the another computer receives the aggregate signature information and the aggregate public key information associated with the plurality of pieces of document information.
  • the another computer verifies validity of the received aggregate signature information on the basis of the plurality of pieces of document information, the received aggregate signature information, and the received aggregate public key information.
  • the another computer acquires, for example, a hash value corresponding to each document information of the plurality of pieces of document information. Then, the another computer verifies validity of the received aggregate signature information on the basis of the acquired hash values, the received aggregate signature information, and the received aggregate public key information, according to the one-key verification algorithm.
  • the another computer can verify the process of generating the plurality of pieces of signature information, which are aggregation sources of the aggregate signature information, on the basis of the aggregate signature information. Therefore, the another computer can avoid the situation of mistakenly determining that the invalid document information is valid document information.
  • the information processing device 100 generates the aggregate public key information obtained by aggregating the public key information corresponding to each piece of document information, but the present embodiment is not limited to this case.
  • the generation device apart from the information processing device 100, there may be a case of a generation device that generates the aggregate public key information obtained by aggregating the public key information corresponding to each piece of document information.
  • the generation device provides the verifier with the aggregate public key information.
  • the information processing device 100 provides the verifier with the generated aggregate signature information such that correspondence of the aggregate public key information with the generated aggregate signature information is specifiable.
  • FIG. 2 is an explanatory diagram illustrating an example of the signature control system 200.
  • the signature control system 200 includes a signature-side terminal 201 corresponding to an author, a signature-side terminal 202 corresponding to an approver, a signature-side terminal 203 corresponding to an authorizer, a private CA server 204, a document management server 205.
  • the signature control system 200 includes a public CA server 206 and a verification-side terminal 207 corresponding to the verifier.
  • each of the signature-side terminals 201 to 203 and the private CA server 204 are connected to each other via a wired or wireless network 210.
  • the network 210 is, for example, a local area network (LAN), a wide area network (WAN), or the Internet.
  • each of the signature-side terminals 201 to 203 and the document management server 205 are connected to each other via the wired or wireless network 210.
  • the private CA server 204 and the public CA server 206 are connected to each other via the wired or wireless network 210.
  • the document management server 205 and the verification-side terminal 207 are connected to each other via the wired or wireless network 210. Furthermore, in the signature control system 200, the public CA server 206 and the verification-side terminal 207 are connected to each other via the wired or wireless network 210.
  • the signature-side terminal 201 is a computer used by the author who creates document information.
  • the signature-side terminal 201 generates new document information on the basis of an operational input of the author.
  • the signature-side terminal 201 generates a key information pair of private key information and public key information.
  • the signature-side terminal 201 generates signature information to be added to the generated new document information on the basis of the private key information of the generated key information pair.
  • the signature-side terminal 201 associates the generated new document information with the generated signature information and transmits the information to the document management server 205.
  • the signature-side terminal 201 transmits the public key information of the generated key information pair to the private CA server 204.
  • the signature-side terminal 201 is, for example, a server, a PC, a tablet terminal, or a smartphone.
  • the signature-side terminal 202 is a computer used by the approver who approves document information.
  • the signature-side terminal 202 acquires the document information to which the signature information is added from the document management server 205 on the basis of an operation input of the approver.
  • the signature-side terminal 202 revises the acquired document information and generates new document information on the basis of the operation input of the approver.
  • the signature-side terminal 202 generates a key information pair of private key information and public key information.
  • the signature-side terminal 202 generates signature information to be added to the generated new document information on the basis of the private key information of the generated key information pair.
  • the signature-side terminal 202 associates the generated new document information with the generated signature information and transmits the information to the document management server 205.
  • the signature-side terminal 202 transmits the public key information of the generated key information pair to the private CA server 204.
  • the signature-side terminal 202 is, for example, a server, a PC, a tablet terminal, or a smartphone.
  • the signature-side terminal 203 is a computer used by the authorizer who authorizes document information.
  • the signature-side terminal 203 acquires the document information to which the signature information is added from the document management server 205 on the basis of an operation input of the authorizer.
  • the signature-side terminal 203 revises the acquired document information and generates new document information on the basis of the operation input of the authorizer.
  • the signature-side terminal 203 generates a key information pair of private key information and public key information.
  • the signature-side terminal 203 generates signature information to be added to the generated new document information on the basis of the private key information of the generated key information pair.
  • the signature-side terminal 203 associates the generated new document information with the generated signature information and transmits the information to the document management server 205.
  • the signature-side terminal 203 transmits the public key information of the generated key information pair to the private CA server 204.
  • the signature-side terminal 203 is, for example, a server, a PC, a tablet terminal, or a smartphone.
  • the private CA server 204 is a computer that manages the public key information.
  • the private CA server 204 has a function as the information processing device 100 illustrated in FIG. 1 .
  • the private CA server 204 generates aggregate public key information obtained by aggregating a plurality of pieces of public key information.
  • the private CA server 204 transmits the generated aggregate public key information to the public CA server 206.
  • the private CA server 204 is, for example, a server, a PC, or the like.
  • the document management server 205 is a computer that manages signature information associated with document information.
  • the document management server 205 has functions as the information processing device 100 illustrated in FIG. 1 .
  • the document management server 205 generates aggregate signature information obtained by aggregating a plurality of pieces of signature information.
  • the document management server 205 stores the generated aggregate signature information in a control information management table 400 to be described below in FIG. 4 .
  • the document management server 205 transmits the generated aggregate signature information to the verification-side terminal 207.
  • the document management server 205 is, for example, a server, a PC, or the like.
  • the public CA server 206 is a computer that manages the aggregate public key information.
  • the public CA server 206 receives the aggregate public key information from the private CA server 204.
  • the public CA server 206 transmits the received aggregate public key information to the verification-side terminal 207.
  • the public CA server 206 is, for example, a server, a PC, or the like.
  • the verification-side terminal 207 is a computer used by the verifier.
  • the verification-side terminal 207 receives the aggregate signature information from the document management server 205.
  • the verification-side terminal 207 receives the aggregate public key information from the public CA server 206.
  • the verification-side terminal 207 verifies whether the received aggregate signature information is valid or not on the basis of the received aggregate public key information.
  • the verification-side terminal 207 is, for example, a server, a PC, or the like.
  • the signature control system 200 includes one signature-side terminal 202 corresponding to the approver has been described, but the present embodiment is not limited to the case.
  • the signature control system 200 includes a plurality of signature-side terminals 202 corresponding to approvers.
  • the private CA server 204 and the document management server 205 are different devices has been described, but the present embodiment is not limited to the case.
  • the private CA server 204 and the document management server 205 are integrated.
  • FIG. 3 is a block diagram illustrating a hardware configuration example of the information processing device 100.
  • the information processing device 100 includes a central processing unit (CPU) 301, a memory 302, a network interface (I/F) 303, a recording medium I/F 304, and a recording medium 305. Furthermore, the individual configuration units are connected to each other by a bus 300.
  • the CPU 301 is responsible for overall control of the information processing device 100.
  • the memory 302 includes, for example, a read only memory (ROM), a random access memory (RAM), a flash ROM, and the like.
  • the flash ROM or the ROM stores various programs, and the RAM is used as a work area for the CPU 301.
  • the programs stored in the memory 302 are loaded into the CPU 301 to cause the CPU 301 to execute coded processing.
  • the network I/F 303 is connected to the network 210 through a communication line, and is connected to another computer via the network 210. Then, the network I/F 303 manages an interface between the network 210 and the inside, and controls input and output of data from another computer.
  • the network I/F 303 is, for example, a modem or a LAN adapter.
  • the recording medium I/F 304 controls reading and writing of data from and to the recording medium 305 under the control of the CPU 301.
  • the recording medium I/F 304 is, for example, a disk drive, a solid state drive (SSD), a universal serial bus (USB) port or the like.
  • the recording medium 305 is a nonvolatile memory that stores data written under the control of the recording medium I/F 304.
  • the recording medium 305 is a disk, a semiconductor memory, a USB memory, or the like.
  • the recording medium 305 may be attachable to and detachable from the information processing device 100.
  • the information processing device 100 may include, for example, a keyboard, a mouse, a display, a printer, a scanner, a microphone, or a speaker, in addition to the above-described configuration units. Furthermore, the information processing device 100 may include a plurality of the recording medium I/Fs 304 and recording media 305. Furthermore, the information processing device 100 does not have to include the recording medium I/F 304 or the recording medium 305.
  • the control information management table 400 is implemented by a storage area such as the memory 302 or the recording medium 305 of the information processing device 100 illustrated in FIG. 3 , for example.
  • FIG. 4 is an explanatory diagram illustrating an example of content stored in the control information management table 400.
  • the control information management table 400 has fields for signer, document information, signature target, private key, public key, and signature information.
  • the control information management table 400 stores control information as a record 400-a by setting information in each field for each signer.
  • the letter a is an arbitrary integer.
  • Identification information for identifying the signer who adds the signature information to the document information is set in the signer field.
  • the signer includes, for example, a corporation.
  • the document information to which the signature information is added is set in the document information field.
  • the document information may include approval flow information indicating a person responsible for the document or the authorizer.
  • the person responsible for the document is, for example, the author or the approver.
  • the approval flow information makes it possible to specify that the validity of the aggregate signature information added to the document information is verifiable on the basis of the aggregate public key information obtained by aggregating which public key information.
  • a hash value corresponding to the document information is set in the signature target field.
  • the private key information used when generating the signature information is set in the private key field.
  • the public key information corresponding to the private key information is set in the public key field.
  • the signature information added to the document information is set in the signature information field.
  • FIG. 5 is a block diagram illustrating a hardware configuration example of the verification-side terminal 207.
  • the verification-side terminal 207 includes a CPU 501, a memory 502, a network I/F 503, a recording medium I/F 504, and a recording medium 505. Furthermore, the configuration units are connected to each other via a bus 500.
  • the CPU 501 performs overall control of the verification-side terminal 207.
  • the memory 502 includes, for example, a ROM, a RAM, a flash ROM, or the like. Specifically, for example, the flash ROM or the ROM stores various programs, while the RAM is used as a work area for the CPU 501. The programs stored in the memory 502 are loaded into the CPU 501 to cause the CPU 501 to execute coded processing.
  • the network I/F 503 is connected to the network 210 through a communication line, and is connected to another computer through the network 210. Then, the network I/F 503 manages an interface between the network 210 and the inside, and controls input and output of data to and from the another computer.
  • the network I/F 503 is, for example, a modem, a LAN adapter, or the like.
  • the recording medium I/F 504 controls reading and writing of data from and to the recording medium 505 under the control of the CPU 501.
  • the recording medium I/F 504 is, for example, a disk drive, an SSD, a USB port, or the like.
  • the recording medium 505 is a nonvolatile memory that stores data written under the control of the recording medium I/F 504.
  • the recording medium 505 is, for example, a disk, a semiconductor memory, a USB memory, or the like.
  • the recording medium 505 may be attachable to and detachable from the verification-side terminal 207.
  • the verification-side terminal 207 may include, for example, a keyboard, a mouse, a display, a printer, a scanner, a microphone, or a speaker, in addition to the configuration units described above. Furthermore, the verification-side terminal 207 may include a plurality of the recording medium I/Fs 504 or a plurality of the recording media 505. Furthermore, the verification-side terminal 207 does not have to include the recording medium I/F 504 and the recording medium 505.
  • FIG. 6 is a block diagram illustrating a functional configuration example of the signature control system 200.
  • the information processing device 100 includes a first storage unit 600, a first acquisition unit 601, a first generation unit 602, a revision unit 603, an analysis unit 604, a second generation unit 605, and a first output unit 606.
  • the first storage unit 600 is implemented by a storage area of the memory 302, the recording medium 305, or the like illustrated in FIG. 3 , for example.
  • the first storage unit 600 may be included in a device different from the information processing device 100, and content stored in the first storage unit 600 may be able to be referred to by the information processing device 100.
  • the first acquisition unit 601 to the first output unit 606 function as an example of a control unit of the information processing device 100. Specifically, for example, the first acquisition unit 601 to the first output unit 606 implement functions thereof by causing the CPU 301 to execute a program stored in the storage area such as the memory 302, the recording medium 305, or the like or by the network I/F 303 illustrated in FIG. 3 . A processing result of each functional unit is stored in, for example, a storage area such as the memory 302 or the recording medium 305 illustrated in FIG. 3 .
  • the first storage unit 600 stores various types of information to be referred to or updated in the processing of each functional unit.
  • the first storage unit 600 stores a plurality of pieces of document information.
  • the document information is, for example, document information such as a contract or a source code that is revised by a plurality of people.
  • the plurality of pieces of document information includes, for example, pieces of document information indicating respective versions of a plurality of versions of a first document.
  • the first storage unit 600 stores a key pair for each signer.
  • the key pair includes the private key information and the public key information.
  • the signer includes, for example, a corporation.
  • the first storage unit 600 stores the key pair for each predetermined signer according to a predetermined approval flow.
  • the public key information of the key pair stored in the first storage unit 600 may include public key information that does not correspond to any document information stored in the first storage unit 600.
  • the first storage unit 600 stores the signature information added to the document information in association with the document information.
  • the first storage unit 600 stores the document information, the public key information, and the signature information in association with each other, for example, for each predetermined signer.
  • the first storage unit 600 stores the control information management table 400 illustrated in FIG. 4 .
  • the first acquisition unit 601 acquires various types of information to be used for the processing of each functional unit.
  • the first acquisition unit 601 stores the acquired various types of information in the first storage unit 600 or outputs the acquired various types of information to each functional unit. Furthermore, the first acquisition unit 601 may output the various types of information stored in the first storage unit 600 to each functional unit.
  • the first acquisition unit 601 acquires the various types of information on the basis of, for example, an operation input from the user.
  • the first acquisition unit 601 may receive the various types of information from a device different from the information processing device 100, for example.
  • the first acquisition unit 601 acquires a plurality of pieces of document information and signature information corresponding to each piece of document information of the plurality of pieces of document information.
  • the first acquisition unit 601 collects, for example, the document information and the signature information corresponding to the document information from each of the signature-side terminals 201 to 203, thereby obtaining the plurality of pieces of document information and the signature information corresponding to each piece of document information of the plurality of pieces of document information.
  • the first acquisition unit 601 may acquire the plurality of pieces of document information and the signature information corresponding to each piece of document information of the plurality of pieces of document information on the basis of an operation input from the user.
  • the first acquisition unit 601 may receive a start trigger to start processing of any one of the functional units.
  • the start trigger is, for example, predetermined operation input made by the user.
  • the start trigger may be, for example, reception of predetermined information from another computer.
  • the start trigger may be, for example, output of predetermined information by any one of the functional units.
  • the first acquisition unit 601 may receive, for example, acquisition of the plurality of pieces of document information and the signature information corresponding to each piece of document information of the plurality of pieces of document information, as the start trigger for starting the processing of the first generation unit 602 to the second generation unit 605.
  • the first generation unit 602 generates aggregate signature information obtained by aggregating the signature information corresponding to each piece of document information of the plurality of acquired pieces of document information on the basis of the plurality of acquired pieces of document information.
  • the first generation unit 602 generates the aggregate signature information on the basis of the hash value corresponding to each piece of document information of the plurality of acquired pieces of document information.
  • the first generation unit 602 uses, for example, a Schnorr signature algorithm.
  • the validity of the aggregate signature information generated by the first generation unit 602 is verifiable on the basis of the plurality of acquired pieces of document information, the aggregate signature information generated by the first generation unit 602, and the aggregate public key information generated by the second generation unit 605. Therefore, the first generation unit 602 can obtain the aggregate signature information that enables the verifier to verify the validity of the document information.
  • the first generation unit 602 generates the aggregate signature information on the basis of a safe prime and the hash value corresponding to each piece of document information of the plurality of acquired pieces of document information.
  • the first generation unit 602 sets parameters on the basis of, for example, the safe prime and the hash value corresponding to each piece of document information of the plurality of acquired pieces of document information. Then, the first generation unit 602 generates the aggregate signature information on the basis of the set parameters. Therefore, the first generation unit 602 can reduce a processing amount incurred when generating the aggregate signature information.
  • the first generation unit 602 generates a check hash value on the basis of a hash chain formed from a seed and the hash value corresponding to each version of the first document. Therefore, the first generation unit 602 can obtain the check hash value that enables the verifier to verify the validity of the document information with higher accuracy.
  • the second generation unit 605 generates the aggregate public key information obtained by aggregating the public key information corresponding to each piece of document information of the plurality of acquired pieces of document information on the basis of the public key information corresponding to the each piece of document information.
  • the public key information corresponding to the document information is public key information corresponding to the private key information used when generating the signature information corresponding to the document information. Therefore, the second generation unit 605 can reduce the number of pieces of public key information used when verifying the validity of the aggregate signature information on the verifier side, and can reduce the cost incurred when verifying the validity of the aggregate signature information.
  • the second generation unit 605 generates aggregate public key information obtained by aggregating the public key information corresponding to each piece of document information of the plurality of acquired pieces of document information, and public key information not corresponding to any document information of the plurality of acquired pieces of document information. For example, even if the first storage unit 600 stores the public key information not corresponding to any document information, the second generation unit 605 generates the aggregate public key information obtained by aggregating the public key information stored in the first storage unit 600. Therefore, the second generation unit 605 can obtain the aggregate public key information according to a predetermined approval flow.
  • the revision unit 603 generates revised signature information obtained by revising the generated aggregate signature information on the basis of the public key information not corresponding to any document information. Therefore, the revision unit 603 can obtain the revised signature information verifiable on the basis of the aggregate public key information even if the signature information based on any private key information has not been generated contrary to the predetermined approval flow.
  • the analysis unit 604 specifies which piece of signature information of the plurality of pieces of signature information, which are aggregation sources, is not valid.
  • the analysis unit 604 verifies, for example, whether each piece of signature information of the plurality of pieces of signature information, which are aggregation sources, is valid or not.
  • the analysis unit 604 acquires two pieces of aggregate signature information: aggregate signature information obtained by aggregating some pieces of signature information; and aggregate signature information obtained by aggregating pieces of signature information other than the some pieces of signature information, among the pieces of signature information that are aggregation sources of the aggregate signature information. Then, the analysis unit 604 verifies the validity of each of the acquired two pieces of aggregate signature information. Therefore, the analysis unit 604 can specify which piece of signature information of the plurality of pieces of signature information, which are aggregation sources, is not valid, which allows the verifier to know which is not valid.
  • the analysis unit 604 newly acquires two pieces of aggregate signature information: aggregate signature information obtained by aggregating some pieces of signature information; and aggregate signature information obtained by aggregating pieces of signature information other than the some pieces of signature information, among the pieces of signature information, which are aggregation sources of any aggregate signature information determined not to be valid. Then, the analysis unit 604 verifies the validity of each of the newly acquired two pieces of aggregate signature information. Therefore, the analysis unit 604 can specify which piece of signature information of the plurality of pieces of signature information, which are aggregation sources, is not valid, which allows the verifier to know which is not valid.
  • the first output unit 606 outputs a processing result of at least any one of the functional units.
  • An output format is, for example, display on a display, print output to a printer, transmission to an external device by the network I/F 303, or storage in a storage area such as the memory 302 or the recording medium 305. Therefore, the first output unit 606 can notify the user of the processing result of at least one of the functional units.
  • the first output unit 606 outputs the generated aggregate signature information.
  • the first output unit 606 outputs, to the verifier, the generated aggregate signature information together with information that indicates the approval flow, for example, and enables specification of the aggregate public key information in association with the plurality of pieces of document information. Therefore, the first output unit 606 enables the verifier to verify the validity of the document information.
  • the first output unit 606 outputs the generated aggregate public key information.
  • the first output unit 606 outputs, for example, the generated aggregate public key information to the verifier.
  • the first output unit 606 registers the generated aggregate public key information in the public CA server 206 in a referable manner by the verifier. Therefore, the first output unit 606 enables the verifier to verify the validity of the document information.
  • the first output unit 606 outputs the generated aggregate signature information in association with the generated aggregate public key information and the plurality of pieces of document information.
  • the first output unit 606 outputs, for example, the generated aggregate signature information in association with the generated aggregate public key information and the plurality of acquired pieces of document information to the verifier for the plurality of acquired pieces of document information.
  • the aggregate signature information is associated with the plurality of pieces of document information by, for example, being associated with the final version of the document information of the plurality of pieces of document information and the hash values corresponding to the pieces of document information other than the final version.
  • the aggregate signature information is associated with the aggregate public key information by, for example, information for identifying the person responsible for the document and the authorizer included in the final version of the document information associated with the aggregate signature information. Therefore, the first output unit 606 enables the verifier to verify the validity of the document information.
  • the first output unit 606 outputs a result of verifying the validity of each of the acquired two pieces of aggregate signature information.
  • the first output unit 606 outputs, for example, the result of verifying the validity of each of the acquired two pieces of aggregate signature information in a referable manner by the user. Therefore, the first output unit 606 enables the user to grasp which signature information is not valid and which approver's approval action is problematic.
  • the first output unit 606 outputs the generated revised signature information.
  • the first output unit 606 outputs, to the verifier, the generated revised signature information together with information that indicates the approval flow, for example, and enables specification of the aggregate public key information in association with the plurality of pieces of document information. Therefore, the first output unit 606 enables the verifier to verify the validity of the document information.
  • the first output unit 606 outputs the generated revised signature information in association with the generated aggregate public key information and the plurality of pieces of document information.
  • the first output unit 606 outputs, for example, the generated revised signature information in association with the generated aggregate public key information and the plurality of pieces of document information to the verifier. Therefore, the revision unit 603 enables the verifier to verify the validity of the document information even if the signature information based on any private key information has not been generated contrary to the predetermined approval flow.
  • the first output unit 606 outputs, for example, the check hash value in association with the aggregate signature information. Therefore, the first output unit 606 enables the verifier to verify the validity of the document information with more accuracy.
  • the verification-side terminal 207 includes a second storage unit 610, a second acquisition unit 611, a verification unit 612, and a second output unit 613.
  • the second storage unit 610 is implemented by a storage area of the memory 502, the recording medium 505, or the like illustrated in FIG. 5 , for example.
  • the second storage unit 610 may be included in a device different from the verification-side terminal 207, and the content stored in the second storage unit 610 may be able to be referred to from the verification-side terminal 207.
  • the second acquisition unit 611 to the second output unit 613 function as an example of a control unit of the verification-side terminal 207.
  • the second acquisition unit 611 to the second output unit 613 implement functions thereof by causing the CPU 501 to execute a program stored in the storage area such as the memory 502, the recording medium 505, or the like or by the network I/F 503 illustrated in FIG. 5 .
  • a processing result of each function unit is stored in, for example, the storage area such as the memory 502 or the recording medium 505 illustrated in FIG. 5 .
  • the second storage unit 610 stores various types of information to be referred to or updated in the processing of each functional unit.
  • the second storage unit 610 stores the aggregate signature information obtained by aggregating the signature information corresponding to each piece of document information of the plurality of pieces of document information, and the aggregate public key information obtained by aggregating the public key information corresponding to each piece of document information of the plurality of pieces of document information, associated with the plurality of pieces of document information.
  • the second storage unit 610 stores the aggregate signature information and the aggregate public key information associated with a combination of the final version of the document information of the plurality of pieces of document information, and the hash value corresponding to the document information other than the final version of the plurality of pieces of document information, for example.
  • the second acquisition unit 611 acquires various types of information to be used for the processing of each functional unit.
  • the second acquisition unit 611 stores the acquired various types of information in the storage unit, or outputs the acquired various types of information to each functional unit. Furthermore, the second acquisition unit 611 may output the various types of information stored in the storage unit to each functional unit.
  • the second acquisition unit 611 acquires the various types of information on the basis of, for example, an operation input from the user.
  • the second acquisition unit 611 may receive the various types of information from, for example, a device different from the verification-side terminal 207.
  • the second acquisition unit 611 acquires the aggregate signature information and the aggregate public key information associated with the plurality of pieces of document information.
  • the second acquisition unit 611 acquires the aggregate signature information associated with the plurality of pieces of document information from, for example, a device that generates the aggregate signature information.
  • the second acquisition unit 611 acquires the aggregate public key information associated with the plurality of pieces of document information from, for example, a device that generates the aggregate public key information.
  • the second storage unit 610 acquires, by receiving from the information processing device 100, the aggregate signature information and the aggregate public key information associated with the combination of the final version of the document information and the hash value corresponding to the document information other than the final version, for example.
  • the second storage unit 610 may receive the aggregate signature information and the aggregate public key information associated with the plurality of pieces of document information on the basis of an operation input from the verifier, for example.
  • the second acquisition unit 611 may receive a start trigger to start processing of any one of the functional units.
  • the start trigger is, for example, predetermined operation input made by the user.
  • the start trigger may be, for example, reception of predetermined information from another computer.
  • the start trigger may be, for example, output of predetermined information by any one of the functional units.
  • the second acquisition unit 611 receives, for example, the acquisition of the aggregate signature information and the aggregate public key information associated with the plurality of pieces of document information as the start trigger to start the processing of the verification unit 612.
  • the verification unit 612 verifies the validity of the received aggregate signature information on the basis of the plurality of pieces of document information, the received aggregate signature information, and the received aggregate public key information.
  • the verification unit 612 verifies the validity of the received aggregate signature information on the basis of the hash value corresponding to each piece of document information of the plurality of pieces of document information, the received aggregate signature information, and the received aggregate public key information, for example. Therefore, the verification unit 612 can verify the validity of the aggregate signature information, and can verify the validity of the document information.
  • the second output unit 613 outputs a processing result of at least any one of the functional units.
  • An output format is, for example, display on a display, print output to a printer, transmission to an external device by the network I/F 503, or storage to the storage area such as the memory 502 or the recording medium 505. Therefore, the second output unit 613 can notify the user of the processing result of at least one of the functional units.
  • the second output unit 613 outputs the result verified by the verification unit 612, for example.
  • the present embodiment is not limited to the case.
  • the information processing device 100 includes the verification unit 612.
  • the information processing device 100 includes the second generation unit 605 has been described here.
  • the present embodiment is not limited to the case.
  • the information processing device 100 does not have the second generation unit 605 and another computer has the second generation unit 605.
  • FIG. 7 is a block diagram illustrating a specific functional configuration example of the signature-side terminal 201 corresponding to the author.
  • the signature-side terminal 201 corresponding to the author includes a key pair generation unit 700, a data reception unit 701, a seed value generation unit 702, a document creation unit 703, a hash value calculation unit 704, a signature generation unit 705, and a data transmission unit 706.
  • the signature-side terminal 201 corresponding to the author includes a private key storage unit 710 and a public key storage unit 720.
  • the private key storage unit 710 stores a private key generated by the signature-side terminal 201.
  • the public key storage unit 720 stores a public key generated by the signature-side terminal 201.
  • the key pair generation unit 700 generates a key pair of the private key and the public key, stores the private key in the private key storage unit 710 and stores the public key in the public key storage unit 720.
  • the data reception unit 701 receives data for generating a message.
  • the seed value generation unit 702 generates a seed.
  • the document creation unit 703 creates a message on the basis of received data.
  • the hash value calculation unit 704 calculates a hash value corresponding to the generated message.
  • the signature generation unit 705 generates a signature to be added to the message on the basis of the calculated hash value.
  • the data transmission unit 706 transmits a message with signature to which the generated signature is added to the document management server 205.
  • the message with signature to which the generated signature is added is stored in a document with signature storage unit 1110, which will be described below with reference to FIG. 11 .
  • the data transmission unit 706 transmits the public key to the private CA server 204.
  • the public key is stored in a personal public key storage unit 1010, which will be described below with reference to FIG. 10 .
  • FIG. 8 is a block diagram illustrating a specific functional configuration example of the signature-side terminal 202 corresponding to the approver.
  • the signature-side terminal 202 corresponding to the approver includes a key pair generation unit 800, a data reception unit 801, a document creation unit 802, a hash value calculation unit 803, a signature generation unit 804, and a data transmission unit 805.
  • the signature-side terminal 202 corresponding to the approver includes a private key storage unit 810 and a public key storage unit 820.
  • the private key storage unit 810 stores a private key generated by the signature-side terminal 202.
  • the public key storage unit 820 stores a public key generated by the signature-side terminal 202.
  • the key pair generation unit 800 generates a key pair of the private key and the public key, stores the private key in the private key storage unit 810 and stores the public key in the public key storage unit 820.
  • the data reception unit 801 receives a message with signature from the document management server 205.
  • the data reception unit 801 receives data for revising the received message with signature and generating a new message.
  • the document creation unit 802 generates a new message on the basis of the received message with signature and the received data.
  • the hash value calculation unit 803 calculates a hash value corresponding to the generated message.
  • the signature generation unit 804 generates a signature to be added to the message on the basis of the calculated hash value.
  • the data transmission unit 805 transmits the message with signature to which the generated signature is added to the document management server 205.
  • the message with signature to which the generated signature is added is stored in a document with signature storage unit 1110, which will be described below with reference to FIG. 11 .
  • the data transmission unit 805 transmits the public key to the private CA server 204.
  • the public key is stored in a personal public key storage unit 1010, which will be described below with reference to FIG. 10 .
  • a specific functional configuration example of the signature-side terminal 203 corresponding to the authorizer is similar to the specific functional configuration example of the signature-side terminal 202 corresponding to the approver, for example.
  • FIG. 9 is a block diagram illustrating a specific functional configuration example of the verification-side terminal 207.
  • the verification-side terminal 207 includes a data reception unit 901, a hash chain verification unit 902, and an aggregate signature verification unit 903. Furthermore, the verification-side terminal 207 includes a document with aggregate signature storage unit 910.
  • the public CA server 206 includes an organization public key storage unit 900. The organization public key storage unit 900 stores the aggregate public key.
  • the document with aggregate signature storage unit 910 stores a message with aggregate signature.
  • the message with aggregate signature is transmitted from the document management server 205, for example.
  • the data reception unit 901 receives the aggregate public key to be used when the validity of the aggregate signature is verified from the public CA server 206.
  • the hash chain verification unit 902 verifies the validity of the hash chain corresponding to the message with aggregate signature on the basis of the check hash value added to the message with aggregate signature.
  • the hash chain verification unit 902 passes the message with aggregate signature to the aggregate signature verification unit 903 in a case where the hash chain corresponding to the message with aggregate signature is valid.
  • the aggregate signature verification unit 903 verifies the validity of the aggregate signature added to the message with aggregate signature on the basis of the aggregate public key.
  • FIG. 10 is a block diagram illustrating a specific functional configuration example of the private CA server 204.
  • the private CA server 204 includes an aggregate public key generation unit 1001 and a public key registration application unit 1002. Furthermore, the private CA server 204 includes a personal public key storage unit 1010.
  • the personal public key storage unit 1010 stores the public keys generated by the respective signature-side terminals 201 to 203.
  • the aggregate public key generation unit 1001 aggregates the public keys generated by the respective signature-side terminals 201 to 203 and stored in the personal public key storage unit 1010 to generate an aggregate public key.
  • the public key registration application unit 1002 transmits the generated aggregate public key to the public CA server 206.
  • the generated aggregate public key is stored in the organization public key storage unit 900 illustrated in FIG. 9 .
  • FIG. 11 is an explanatory diagram illustrating a specific functional configuration example of the document management server 205.
  • the document management server 205 includes an aggregate signature generation unit 1101 and a data transmission unit 1102. Furthermore, the document management server 205 includes the document with signature storage unit 1110.
  • the document with signature storage unit 1110 stores the messages with signature generated by the respective signature-side terminals 201 to 203.
  • the aggregate signature generation unit 1101 aggregates the signatures added to the messages with signature stored in the document with signature storage unit 1110 to generate an aggregate signature.
  • the aggregate signature generation unit 1101 adds the generated aggregate signature to the final version of the message to generate a message with aggregate signature.
  • the data transmission unit 1102 transmits the generated message with aggregate signature to the verification-side terminal 207. In the verification-side terminal 207, the generated message with aggregate signature is stored in the document with aggregate signature storage unit 910 illustrated in FIG. 9 .
  • FIG. 12 is an explanatory diagram illustrating an example of the operation of the signature control system 200.
  • order is assumed to be p.
  • a value used when, for example, generating a public key or when generating a signature is assumed to be g.
  • a cryptographic hash function is assumed to be H(x).
  • H(x) a secure hash algorithm such as SHA256 or SHA-3 is used, for example.
  • the signature-side terminals 201 to 203 uniformly and randomly select x from the remainder group Z p and set x as the private key.
  • the signature-side terminals 201 to 203 generate the signature for a message m on the basis of the private key x.
  • the signature-side terminals 201 to 203 set the signature elements s and R to the signature (s, R) for the message m, and transmit the message to the document management server 205.
  • the document management server 205 has messages m 1 , m 2 , and m 3 and three signatures (s 1 , R 1 ), (s 2 , R 2 ), and (s 3 , R 3 ) corresponding to the messages m 1 , m 2 , and m 3 , respectively.
  • the document management server 205 aggregates the three signatures (s 1 , R 1 ), (s 2 , R 2 ), and (s 3 , R 3 ) into a single aggregate signature (s', R').
  • the document management server 205 sets the single aggregate signature (s', R').
  • the document management server 205 aggregates three public keys X 1 , X 2 , and X 3 into a single aggregate public key X'.
  • the verification-side terminal 207 verifies the validity of the aggregate signature (s', R') on the basis of the aggregate public key X'.
  • the verification-side terminal 207 can verify the validity of the single aggregate signature (s', R') and determine whether messages m 1 , m 2 , and m 3 are valid or not. Furthermore, the verification-side terminal 207 can verify the validity of the single aggregate signature (s', R') and determine whether the three signatures (s 1 , R 1 ), (s 2 , R 2 ), and (s 3 , R 3 ) are valid or not. Therefore, the verification-side terminal 207 can improve security. The verification-side terminal 207 can verify the validity of the single aggregate signature (s', R') on the basis of the single aggregate public key X' regardless of the number of signatures, and can reduce the processing amount for the verification.
  • FIGs. 13 to 15 are explanatory diagrams illustrating specific examples of the operation of the signature control system 200.
  • the signature control system 200 enables verification for a process in which a plurality of versions of documents is generated on the basis of the content of the final version of the document while hiding documents other than the final version among the plurality of versions of documents from the verifier.
  • the author creates a first version of the document.
  • the approver creates a second version of the document on the basis of the first version of the document.
  • the authorizer creates a third edition of the document on the basis of the second version of the document.
  • the third version of the document is finalized as the final version of the document. In this way, the situation is that the document is revised step by step.
  • the document management server 205 obtains the final version of the document based on the third version of the document.
  • the single aggregate signature (s', R') becomes an e-Seal representing the corporation.
  • An example of setting the auxiliary parameter d will be specifically described below with reference to FIGs. 17 and 18 .
  • the document management server 205 generates the single aggregate signature (s', R').
  • the private CA server 204 transmits the aggregate public key X' to the public CA server 206 located outside the corporation. Here, the description will move onto FIG. 14 .
  • the document management server 205 generates a hash chain 1400 and a check hash value chk hash .
  • the document management server 205 generates the check hash value chk hash on the basis of, for example, the hash chain 1400 formed from the seed value and a message hash hs i of each version of the document.
  • the document management server 205 calculates a first hash value on the basis of the seed value and a message hash hs 1 of the first version of the document, using a hash function. Specifically, the document management server 205 calculates a second hash value on the basis of the calculated first hash value and a message hash hsz of the second version of the document, using the hash function. Specifically, the document management server 205 calculates a third hash value on the basis of the calculated second hash value and a message hash hs 3 of the third version of the document, using the hash function.
  • the document management server 205 sets the third hash value to the check hash value chk hash .
  • the document management server 205 associates the grouped verification information with the generated single aggregate signature (s', R') to transmit thereof to the verification-side terminal 207.
  • the verification-side terminal 207 receives the grouped verification information and the generated single aggregate signature (s', R').
  • the verification-side terminal 207 acquires the generated aggregate public key X' from the public CA server 206.
  • the description will move onto FIG. 15 .
  • the verification-side terminal 207 generates a hash chain 1500 and a check hash value chk hash .
  • the verification-side terminal 207 generates the check hash value chk hash on the basis of, for example, the hash chain 1500 formed from the seed value, a message hash hs 1 of the first version of the document, a message hash hsz of the second version of the document, and the final version of the document.
  • the verification-side terminal 207 sets the third hash value to the check hash value chk hash .
  • the verification-side terminal 207 determines whether the set check hash value chk hash matches or not the check hash value chk hash included in the received verification information. Here, in a case of determining they match, the verification-side terminal 207 determines that the hash chain 1500 is valid. On the other hand, in a case of determining they do not match, the verification-side terminal 207 determines that the hash chain 1500 is not valid and the final version of the document is not valid.
  • the verification-side terminal 207 verifies the validity of the received single aggregate signature (s', R') on the basis of the received aggregate public key X'.
  • the verification-side terminal 207 determines that the single aggregate signature (s', R') is valid.
  • the verification-side terminal 207 determines that the single aggregate signature (s',R') is not valid and the final version of the document is not valid.
  • the verification-side terminal 207 determines that the final version of the document is valid in the case where the hash chain 1500 is valid and the single aggregate signature (s', R') is valid. Therefore, the verification-side terminal 207 can prevent the verifier from mistakenly recognizing an invalid document as a valid document.
  • the verification-side terminal 207 can verify the validity of the single aggregate signature (s', R') by acquiring the single aggregate public key X' without acquiring a plurality of public keys. As a result, the verification-side terminal 207 can reduce the cost incurred when verifying the validity of the single aggregate signature (s', R').
  • the verification-side terminal 207 can confirm that the first and second versions of the document have not been falsified or replaced. Therefore, the verification-side terminal 207 can improve security.
  • FIG. 16 is an explanatory diagram illustrating an example of verifying a signature.
  • the document management server 205 detects that the single aggregate signature (s', R') has been determined not to be valid and verification has failed.
  • the document management server 205 receives, for example, a notification from the verification-side terminal 207 that the verification of the single aggregate signature (s', R') has failed. In this case, it is considered that at least one of the signatures that are aggregation sources of the single aggregate signature (s',R') has a cause of the verification failure.
  • the document management server 205 finds the signature that causes the verification failure and causes the signature-side terminals 201 to 203 to regenerate the signature that causes the verification failure.
  • FIGs. 17 and 18 are explanatory diagrams illustrating an example of setting the auxiliary parameter d.
  • the document management server 205 efficiently calculates the auxiliary parameter d using properties of remainders.
  • the document management server 205 sets, for example, the order p to a safe prime.
  • the document management server 205 performs binary expansion of each message hash c i by a 2 k division algorithm to transform the message hash c i into a format of " c i ' ⁇ 2 ⁇ (-t i )•c i " illustrated in mathematical expressions 1711 to 171n.
  • the document management server 205 sorts the format of " c i ' ⁇ 2 ⁇ (-t i )•c i " illustrated in the mathematical expressions 1711 to 171n in order of t 1 ⁇ t 2 ⁇ ... ⁇ t N using a t i sort algorithm.
  • the document management server 205 calculates C illustrated in the mathematical expression 1720 using a C calculation algorithm.
  • the document management server 205 calculates a reciprocal y, illustrated in the mathematical expressions 1731 to 173n for each c i ' using a reciprocal calculation algorithm.
  • the document management server 205 calculates d i illustrated in the mathematical expressions 1741 to 174n on the basis of the calculated C and each reciprocal y, using a d calculation algorithm.
  • the document management server 205 groups up the calculated d i and sets the auxiliary parameter d illustrated in the mathematical expression 1750. Next, description will move onto FIG. 18 .
  • Table 1800 in FIG. 18 illustrates a processing time spent on setting the auxiliary parameter d.
  • the document management server 205 can reduce the processing time spent on setting the auxiliary parameter d according to the method illustrated in FIG. 17 compared to the method of the comparative example.
  • the document management server 205 can, for example, make the processing time O(N) instead of O(N 2 ).
  • the document management server 205 can set the auxiliary parameter d in a relatively short processing time even if the number of signatures increases.
  • FIGs. 19 and 20 are explanatory diagrams illustrating an example of revising the aggregate signature.
  • one of the approvers cannot approve the document, cannot operate the signature-side terminals 201 to 203, and cannot add the signature to the document, which are defined in the approval flow.
  • one of the approvers is absent due to on vacation, on a business trip or the like, cannot operate the signature-side terminals 201 to 203, and cannot add the signature to the document.
  • the signature control system 200 cannot generate the aggregate signature that is verifiable with the aggregate public key in the case where one of the approvers is on vacation, on a business trip or the like, the convenience of the signature control system 200 will be lowered. Therefore, it is desirable that, in the signature control system 200, the public key is temporarily invalidated and an aggregate signature verifiable with the aggregate public key is made generable even if the signature is not added to the document by one of the approvers. Furthermore, in the case where the approver is on vacation, on a business trip or the like, changing the approval flow and redistributing the aggregate public key is not favorable from the viewpoint of work costs and the like.
  • the document management server 205 corrects the aggregate signature in which the signature corresponding to one of the approvers is not aggregated and generates a revised signature on the basis of a message m i and a public key pk rev to be invalidated corresponding to the one of the approvers.
  • the description will move onto FIG. 20 , and a specific example in which the document management server 205 revises the aggregate signature will be described.
  • the document management server 205 receives designation of the public key X 2 to be invalidated.
  • the revised signature may be generated so that the following expression (1) holds.
  • FIG. 21 is an explanatory diagram illustrating effects by the signature control system 200.
  • Table 2100 in FIG. 21 illustrates the number of public keys managed by the private CA server 204 and the number of public keys managed by the public CA server 206.
  • Table 2100 illustrates the number of public keys managed by the private CA server 204 and the number of public keys managed by the public CA server 206 in the signature control system 200, for example.
  • Table 2100 illustrates the number of public keys managed by a conventional private CA server 204 and the number of public keys managed by a conventional public CA server 206, for example.
  • the signature control system 200 can reduce the number of public keys managed by the public CA server 206 from N to 1 compared to the conventional system. Therefore, the signature control system 200 can reduce the cost incurred when managing the public keys and the cost incurred when using the public keys.
  • the conventional public CA server 206 stores 2048 ⁇ 100 [bits] of information in a case where there are 100 approvers. Therefore, conventionally, the processing cost incurred when verifying the validity of the aggregate signature is O(N).
  • the signature control system 200 only needs to use the single aggregate public key when verifying the validity of the aggregate signature, and thus can reduce the processing cost incurred when verifying the validity of the aggregate signature to O(1).
  • the signature control system 200 can fix the information managed by the public CA server 206 to 2048 [bits] regardless of the number of approvers.
  • the key generation processing is implemented by, for example, the CPU 301, a storage area such as the memory 302 or the recording medium 305, the network I/F 303 illustrated in FIG. 3 , and the like.
  • FIG. 22 is a flowchart illustrating an example of a key generation processing procedure.
  • the private CA server 204 transmits a key generation request to the signature-side terminals 201 to 203 corresponding to the author, approver, and authorizer (step S2201).
  • the signature-side terminals 201 to 203 when receiving the key generation request, the signature-side terminals 201 to 203 generate a key pair of a private key x i and a public key X i (step S2202). Next, the signature-side terminals 201 to 203 store the generated private key x i (step S2203). The signature-side terminals 201 to 203 then store the generated public key X i (step S2204). The signature-side terminals 201 to 203 then transmit the generated public key X i to the private CA server 204 (step S2205).
  • the public CA server 206 when receiving the request for creating a digital certificate for the aggregate public key X', creates the digital certificate for the aggregate public key X' and transmits the digital certificate to the private CA server 204 (step S2209).
  • the private CA server 204 stores the received digital certificate of the aggregate public key X' (step S2210).
  • the private CA server 204 creates and stores a digital certificate for the public key X i (step S2211). Thereafter, the signature control system 200 terminates the key generation processing.
  • the document creation processing is implemented by, for example, the CPU 301, a storage area such as the memory 302 or the recording medium 305, the network I/F 303 illustrated in FIG. 3 , and the like.
  • FIG. 23 is a flowchart illustrating an example of a document creation processing procedure.
  • the signature-side terminal 201 generates a seed and transmits the seed to the document management server 205 (step S2301).
  • the document management server 205 receives the seed (step S2302).
  • the signature-side terminal 201 generates a document m 1 (step S2303).
  • the signature-side terminal 201 generates a hash value hs 1 on the basis of the seed and document m 1 (step S2304).
  • the signature-side terminal 201 obtains a private key x 1 (step S2305).
  • the signature-side terminal 201 generates a signature ⁇ 1 for the document m 1 on the basis of the private key x 1 (step S2306). Then, the signature-side terminal 201 transmits the document m 1 , the hash value hs 1 , and the signature ⁇ 1 to the document management server 205 (step S2307).
  • the document management server 205 receives the document m 1 , the hash value hs 1 , and the signature ⁇ 1 from the signature-side terminal 201 (step S2308). Next, the document management server 205 determines whether the received hash value hs 1 corresponds to the received seed and the received document m 1 or not (step S2309).
  • step S2309 verification failure
  • the document management server 205 transmits a verification failure notification to the signature-side terminal 201. Then, the signature-side terminal 201 proceeds to the processing of step S2312.
  • the document management server 205 determines that the verification has succeeded and proceeds to the processing of steps S2310 and S2311.
  • the document management server 205 acquires the public key X 1 (step S2310). Then, the document management server 205 determines whether the received signature ⁇ 1 is valid or not on the basis of the public key X 1 (step S2311).
  • step S2311 verification failure
  • the document management server 205 transmits the verification failure notification to the signature-side terminal 201. Then, the signature-side terminal 201 proceeds to the processing of step S2312.
  • step S2311 verification success
  • the document management server 205 determines that the verification has succeeded and proceeds to the processing of step S2313.
  • step S2312 when receiving the verification failure notification, the signature-side terminal 201 regenerates the signature ⁇ 1 (step S2312). Then, the signature-side terminal 201 returns to the processing of step S2301.
  • step S2313 the document management server 205 stores the received document m 1 , the received hash value hs 1 , and the received signature ⁇ 1 in the control information management table 400 of its own device (step S2313).
  • the document management server 205 transmits a notification that the document m 1 has been registered to the signature-side terminal 201 (step S2314).
  • the signature-side terminal 201 receives the notification that the document m 1 has been registered (step S2315). Thereafter, the signature control system 200 terminates the document creation processing.
  • the document approval processing is implemented by, for example, the CPU 301, a storage area such as the memory 302 or the recording medium 305, the network I/F 303 illustrated in FIG. 3 , and the like.
  • FIG. 24 is a flowchart illustrating an example of a document approval processing procedure.
  • the document management server 205 transmits the stored document m 1 , hash value hs 1 , and signature ⁇ 1 to the signature-side terminal 202 corresponding to the approver (step S2401).
  • the signature-side terminal 201 receives the document m 1 , the hash value hs 1 , and the signature ⁇ 1 (step S2402).
  • the signature-side terminal 202 generates a document m 2 (step S2403).
  • the signature-side terminal 202 generates a hash value hs 2 on the basis of the hash value hs 1 and the document m 2 (step S2404).
  • the signature-side terminal 202 obtains a private key x 2 (step S2405). Then, the signature-side terminal 202 generates a signature ⁇ 2 for the document m 2 on the basis of the private key x 2 (step S2406). Then, the signature-side terminal 202 transmits the document m 2 , the hash value hs 2 , and the signature ⁇ 2 to the document management server 205 (step S2407).
  • the document management server 205 receives the document m 2 , the hash value hs 2 , and the signature ⁇ 2 from the signature-side terminal 202 (step S2408). Then, the document management server 205 determines whether the received hash value hs 2 corresponds to the hash value hs 1 and the received document m 2 or not (step S2409).
  • step S2409 verification failure
  • the document management server 205 transmits a verification failure notification to the signature-side terminal 202. Then, the signature-side terminal 202 proceeds to the processing of step S2412.
  • the document management server 205 determines that the verification has succeeded and proceeds to the processing of steps 52410 and S2411.
  • the document management server 205 acquires the public key X 2 (step S2410). Then, the document management server 205 determines whether the received signature ⁇ 2 is valid or not on the basis of the public key X 2 (step S2411).
  • step S2411 verification failure
  • the document management server 205 transmits the verification failure notification to the signature-side terminal 202. Then, the signature-side terminal 202 proceeds to the processing of step S2412.
  • step S2411 verification success
  • the document management server 205 determines that the verification has succeeded and proceeds to the processing of step S2413.
  • step S2412 when receiving the verification failure notification, the signature-side terminal 202 regenerates the signature ⁇ 2 (step S2412). Then, the signature-side terminal 202 returns to the processing of step S2402.
  • step S2413 the document management server 205 stores the received document m 2 , the received hash value hs 2 , and the received signature ⁇ 2 in the control information management table 400 of its own device (step S2413).
  • the document management server 205 transmits a notification that the document m 2 has been registered to the signature-side terminal 202 (step S2414).
  • the signature-side terminal 202 receives the notification that the document m 2 has been registered (step S2415). Thereafter, the signature control system 200 terminates the document approval processing.
  • the document authorization processing is implemented by, for example, the CPU 301, a storage area such as the memory 302 or the recording medium 305, the network I/F 303 illustrated in FIG. 3 , and the like.
  • FIG. 25 is a flowchart illustrating an example of a document authorization processing procedure.
  • the document management server 205 transmits the stored document m 2 , hash value hs 2 , and signature ⁇ 2 to the signature-side terminal 203 corresponding to the authorizer (step S2501).
  • the signature-side terminal 203 receives the document m 2 , the hash value hs 2 , and the signature ⁇ 2 (step S2502). Then, the signature-side terminal 203 generates a document m 3 (step S2503). Then, the signature-side terminal 203 generates a hash value hss on the basis of the hash value hs 2 and the document m 3 (step S2504).
  • the signature-side terminal 203 obtains a private key x 3 (step S2505). Then, the signature-side terminal 203 generates a signature ⁇ 3 for the document m 3 on the basis of the private key x 3 (step S2506). Then, the signature-side terminal 203 transmits the document m 3 , the hash value hs 3 , and the signature ⁇ 3 to the document management server 205 (step S2507).
  • the document management server 205 receives the document m 3 , the hash value hs 3 , and the signature ⁇ 3 from the signature-side terminal 203 (step S2508). Then, the document management server 205 determines whether the received hash value hs 3 corresponds to the hash value hs 2 and the received document m 3 or not (step S2509).
  • step S2509 verification failure
  • the document management server 205 transmits a verification failure notification to the signature-side terminal 203. Then, the signature-side terminal 203 proceeds to the processing of step S2512.
  • the document management server 205 determines that the verification has succeeded and proceeds to the processing of steps S2510 and S2511.
  • the document management server 205 acquires the public key X 3 (step S2510). Then, the document management server 205 determines whether the received signature ⁇ 3 is valid or not on the basis of the public key X 3 (step S2511).
  • step S2511 verification failure
  • the document management server 205 transmits the verification failure notification to the signature-side terminal 203. Then, the signature-side terminal 203 proceeds to the processing of step S2512.
  • step S2511 verification success
  • the document management server 205 determines that the verification has succeeded and proceeds to the processing of step S2513.
  • step S2512 when receiving the verification failure notification, the signature-side terminal 203 regenerates the signature ⁇ 3 (step S2512). Then, the signature-side terminal 203 returns to the processing of step S2502.
  • step S2513 the document management server 205 stores the received document m 3 , the received hash value hs 3 , and the received signature ⁇ 3 in the control information management table 400 of its own device (step S2513).
  • the document management server 205 generates the final version of a document m f on the basis of the received document m 3 , and stores the document m f in the control information management table 400 of its own device (step S2514).
  • the document management server 205 transmits a notification that the document m 3 has been registered to the signature-side terminal 203 (step S2515).
  • the signature-side terminal 203 receives the notification that the document m 3 has been registered (step S2516).
  • the signature control system 200 then terminates the document authorization processing.
  • the signature aggregation processing is implemented by, for example, the CPU 301, a storage area such as the memory 302 or the recording medium 305, the network I/F 303 illustrated in FIG. 3 , and the like.
  • FIG. 26 is a flowchart illustrating an example of a signature aggregation processing procedure.
  • the document management server 205 transmits a notification that the document is to be transmitted to the verification-side terminal 207 (step S2601). Meanwhile, when receiving the notification, the verification-side terminal 207 transmits a request for the organization's public key certificate to the document management server 205 (step S2602).
  • the document management server 205 transmits the digital certificate of the registered public key X' to the verification-side terminal 207 (step S2603). Meanwhile, the verification-side terminal 207 verifies the received digital certificate of the public key X' (step S2604). The verification-side terminal 207 transmits a verification failure notification to the document management server 205 in a case of verification failure. Then, the verification-side terminal 207 proceeds to the processing of step S2609.
  • the document management server 205 confirms whether the public key X' is valid or not (step S2605).
  • the document management server 205 may regenerate the public key X' in a case where the public key X' is not valid.
  • the document management server 205 acquires the hash value hs i and signature information ⁇ i (step S2606). Then, the document management server 205 generates aggregate signature information ⁇ ' on the basis of the hash value hs i and the signature information ⁇ i (step S2607). Then, the document management server 205 transmits the final version of the document m f and the generated aggregate signature information ⁇ ' to the verification-side terminal 207 in association with each other (step S2608).
  • the verification-side terminal 207 verifies the hash chain (step S2609). In a case of verification success, the verification-side terminal 207 proceeds to the processing of step S2610. The verification-side terminal 207 transmits a verification failure notification to the document management server 205 in a case of verification failure.
  • step 52610 the verification-side terminal 207 verifies the aggregate signature information ⁇ ' (step S2610). In a case of verification success, the verification-side terminal 207 proceeds to the processing of step S2611. The verification-side terminal 207 transmits a verification failure notification to the document management server 205 in a case of verification failure.
  • step S2611 the verification-side terminal 207 recognizes that verification of the document m n has been succeeded (step S2611).
  • the document management server 205 investigates the cause by executing re-verification processing to be described below in FIG. 27 , using Re-Verify (step S2612).
  • the signature control system 200 then terminates the signature aggregation processing.
  • the re-verification processing is implemented by, for example, the CPU 301, a storage area such as the memory 302 or the recording medium 305, and the network I/F 303 illustrated in FIG. 3 .
  • FIG. 27 is a flowchart illustrating an example of a re-verification processing procedure.
  • the document management server 205 verifies aggregate signature information s 1,1 and confirms that the verification has failed (step S2701).
  • the document management server 205 verifies aggregate signature information s 2,1 (step S2702). In a case of verification success, the document management server 205 proceeds to the processing of step S2703. On the other hand, in a case of verification failure, the document management server 205 proceeds to the processing of step S2704.
  • step S2703 the document management server 205 verifies aggregate signature information s 2,2 (step S2703).
  • the document management server 205 determines that an invalid signature is not present in a case of verification success, and terminates the re-verification processing.
  • the document management server 205 executes processing similar to the processing of step S2704 and subsequent steps.
  • step S2704 the document management server 205 verifies aggregate signature information s 3,1 (step S2704). In a case of verification success, the document management server 205 proceeds to the processing of step S2705. On the other hand, in a case of verification failure, the document management server 205 proceeds to the processing of step S2706.
  • step S2705 the document management server 205 verifies aggregate signature information s 3,2 (step S2705).
  • the document management server 205 determines that an invalid signature is not present in a case of verification success, and terminates the re-verification processing.
  • the document management server 205 executes processing similar to the processing of step S2706 and subsequent steps.
  • step S2706 the document management server 205 verifies aggregate signature information s 4,1 (step S2706).
  • the document management server 205 recursively executes processing of verifying aggregate signature information s x>4,y according to the verification success and verification failure. Thereafter, the document management server 205 moves onto the processing of step S2707.
  • step S2707 the document management server 205 specifies the verification-failed signature ⁇ i , regenerates the verification-failed signature ⁇ i , and regenerates the aggregate signature information ⁇ ' (step S2707).
  • the document management server 205 outputs the regenerated aggregate signature information ⁇ ' (step S2708). Then, the document management server 205 terminates the re-verification processing.
  • the another signature aggregation processing is implemented by, for example, the CPU 301, a storage area such as the memory 302 or the recording medium 305, the network I/F 303 illustrated in FIG. 3 , and the like.
  • FIG. 28 is a flowchart illustrating an example of another signature aggregation processing procedure.
  • the document management server 205 transmits a notification that the document is to be transmitted to the verification-side terminal 207 (step S2801). Meanwhile, when receiving the notification, the verification-side terminal 207 transmits a request for the organization's public key certificate to the document management server 205 (step S2802).
  • the document management server 205 transmits the digital certificate of the registered public key X' to the verification-side terminal 207 (step S2803). Meanwhile, the verification-side terminal 207 verifies the received digital certificate of the public key X' (step S2804). The verification-side terminal 207 transmits a verification failure notification to the document management server 205 in a case of verification failure. Then, the verification-side terminal 207 proceeds to the processing of step S2810.
  • the document management server 205 confirms whether the public key X' is valid or not (step S2805).
  • the document management server 205 may regenerate the public key X' in a case where the public key X' is not valid.
  • the document management server 205 acquires the hash value hs i and the signature information ⁇ i (step S2806). Then, the document management server 205 generates aggregate signature information ⁇ ' on the basis of the hash value hs i and the signature information ⁇ i (step S2807).
  • the document management server 205 executes invalidation processing to be described below with reference to FIG. 29 (step S2808). Then, the document management server 205 transmits the final version of the document m n and the generated aggregate signature information ⁇ ' to the verification-side terminal 207 in association with each other (step S2809).
  • the verification-side terminal 207 verifies the hash chain (step S2810). In a case of verification success, the verification-side terminal 207 proceeds to the processing of step S2811. The verification-side terminal 207 transmits a verification failure notification to the document management server 205 in a case of verification failure.
  • step S2811 the verification-side terminal 207 verifies the aggregate signature information ⁇ ' (step S2811). In a case of verification success, the verification-side terminal 207 proceeds to the processing of step S2812. The verification-side terminal 207 transmits a verification failure notification to the document management server 205 in a case of verification failure.
  • step S2812 the verification-side terminal 207 recognizes that verification of the document m n has been succeeded (step S2812).
  • the document management server 205 investigates the cause by executing the re-verification processing illustrated in FIG. 27 , using Re-Verify (step S2813).
  • the signature control system 200 then terminates the signature aggregation processing.
  • the invalidation processing is implemented by, for example, the CPU 301, a storage area such as the memory 302 or the recording medium 305, and the network I/F 303 illustrated in FIG. 3 .
  • FIG. 29 is a flowchart illustrating an example of the invalidation processing procedure.
  • the document management server 205 determines whether there is a public key to be temporarily invalidated or not (step S2901).
  • step S2901 the document management server 205 terminates the invalidation processing.
  • step S2901: Yes the document management server 205 proceeds to processing in step S2902.
  • step S2902 the document management server 205 inquires of the private CA server 204 about the public key to be invalidated (step S2902). Meanwhile, the private CA server 204 transmits the public key to be invalidated to the document management server 205 in response to the inquiry (step S2903).
  • the document management server 205 generates revised signature information ⁇ " obtained by revising the aggregate signature information ⁇ ' on the basis of the public key to be invalidated (step S2904). Next, the document management server 205 outputs the revised signature information ⁇ " (step S2905). Then, the document management server 205 terminates the invalidation processing.
  • the information processing device 100 it is possible to acquire a plurality of pieces of document information and signature information corresponding to each piece of document information of the plurality of pieces of document information. According to the information processing device 100, it is possible to generate aggregate signature information obtained by aggregating the signature information corresponding to each piece of document information of the plurality of acquired pieces of document information on the basis of the plurality of acquired pieces of document information. According to the information processing device 100, it is possible to output the generated aggregate signature information in association with the aggregate public key information obtained by aggregating the public key information corresponding to each piece of document information of the plurality of pieces of document information and the plurality of pieces of document information. Therefore, the information processing device 100 enables the aggregate signature information to be verifiable even if the number of pieces of key information to be used when verifying the aggregate signature information is one and can reduce the cost incurred when verifying the aggregate signature information.
  • the information processing device 100 it is possible to generate the aggregate public key information on the basis of the public key information corresponding to each piece of document information of the plurality of acquired pieces of document information. Therefore, the information processing device 100 can reduce the number of pieces of key information to be used when verifying the aggregate signature information, and can reduce the cost incurred when verifying the aggregate signature information.
  • the information processing device 100 it is possible to generate the aggregate signature information on the basis of the hash value corresponding to each piece of document information of the plurality of acquired pieces of document information. Therefore, the information processing device 100 can generate the aggregate signature information obtained by aggregating the signature information based on the hash value.
  • the information processing device 100 it is possible to enable the validity of the generated aggregate signature information to be verifiable on the basis of the plurality of acquired pieces of document information, the generated aggregate signature information, and the generated aggregate public key information. Therefore, the information processing device 100 enables the aggregate signature information to be verifiable even if the number of pieces of key information to be used when verifying the aggregate signature information is one and can reduce the cost incurred when verifying the aggregate signature information.
  • the information processing device 100 it is possible to receive the aggregate signature information and the aggregate public key information associated with the plurality of pieces of document information. According to the information processing device 100, it is possible to verify the validity of the received aggregate signature information on the basis of the plurality of pieces of document information, the received aggregate signature information, and the received aggregate public key information. Therefore, the information processing device 100 can verify the validity of the aggregate signature information, confirm whether the plurality of pieces of document information have been falsified or not, and improve security.
  • the information processing device 100 it is possible to detect that the aggregate signature information is not valid. According to the information processing device 100, it is possible to acquire two pieces of aggregate signature information: aggregate signature information obtained by aggregating some pieces of signature information; and aggregate signature information obtained by aggregating pieces of signature information other than the some pieces of signature information, among the pieces of signature information that are aggregation sources of the aggregate signature information. According to the information processing device 100, it is possible to output a result of verifying the validity of each of the acquired two pieces of aggregate signature information. Therefore, the information processing devices 100 can specify any piece of signature information serving as an aggregation source that causes the aggregate signature information to be invalid.
  • the information processing device 100 it is possible to detect that at least one piece of aggregate signature information, of the acquired two pieces of aggregate signature information, is not valid. According to the information processing device 100, it is possible to newly acquire two pieces of aggregate signature information: aggregate signature information obtained by aggregating some pieces of signature information; and aggregate signature information obtained by aggregating pieces of signature information other than the some pieces of signature information, among the pieces of signature information that are aggregation sources of any piece of the aggregate signature information. According to the information processing device 100, it is possible to output a result of verifying the validity of each of the newly acquired two pieces of aggregate signature information. Therefore, the information processing devices 100 can specify any piece of signature information serving as an aggregation source that causes the aggregate signature information to be invalid.
  • the information processing device 100 it is possible to generate aggregate public key information obtained by aggregating the public key information corresponding to each piece of document information of the plurality of acquired pieces of document information, and public key information not corresponding to any document information of the plurality of acquired pieces of document information. According to the information processing device 100, it is possible to generate revised signature information obtained by revising the generated aggregate signature information on the basis of the public key information not corresponding to any document information. According to the information processing device 100, it is possible to output the generated revised signature information in association with the aggregate public key information and the plurality of acquired pieces of document information. Therefore, the information processing device 100 can generate the verifiable revised signature information on the basis of the aggregate public key information even if there is no signature information based on any public key information.
  • the information processing device 100 it is possible to generate the aggregate public key information on the basis of the public key information corresponding the private key information to be used when generating the signature information corresponding to each piece of document information of the plurality of acquired pieces of document information. Therefore, the information processing device 100 can aggregate the public key information capable of verifying the signature information and can generate the aggregate public key information.
  • the information processing device 100 it is possible to adopt pieces of document information indicating respective versions of a plurality of versions of the first document. Therefore, the information processing device 100 can be applied to a situation where the document is being revised.
  • the information processing device 100 it is possible to output the hash value generated on the basis of the hash chain formed with the seed and the hash value corresponding to each version of the first document in association with the aggregate signature information. Therefore, the information processing device 100 can confirm whether a plurality of pieces of document information has been falsified, and improve security.
  • the information processing device 100 it is possible to generate the aggregate signature information on the basis of a safe prime and the hash value corresponding to each piece of document information of the plurality of acquired pieces of document information. Therefore, the information processing device 100 can reduce the processing time spent on generating the aggregate signature information.
  • the information processing device 100 it is possible to generate the aggregate signature information using the Schnorr signature algorithm. Therefore, the information processing device 100 can generate the aggregate signature information obtained by aggregating the signature information based on the Schnorr signature algorithm.
  • the information processing device 100 it is possible to output the generated aggregate signature information in association with the aggregate public key information and the plurality of acquired pieces of document information to the verifier for the plurality of acquired pieces of document information. Therefore, the information processing device 100 enables the verifier to verify the validity of the aggregate signature information and to confirm whether the plurality of pieces of document information has been falsified or not, and can improve the security.
  • the information processing device 100 it is possible to associate the document information, the public key information, and the signature information with each other, for each predetermined signer. Therefore, the information processing device 100 can easily generate the aggregate signature information and the aggregate public key information.
  • the information processing device 100 it is possible to receive aggregate signature information associated with a plurality of pieces of document information from a device that generates the aggregate signature information obtained by aggregating signature information corresponding to each piece of document information of the plurality of pieces of document information.
  • the information processing device 100 it is possible to receive aggregate public key information associated with a plurality of pieces of document information from a device that generates the aggregate public key information obtained by aggregating public key information corresponding to each piece of document information of the plurality of pieces of document information.
  • the signature control method described in the present embodiment may be implemented by executing a program prepared in advance, on a computer such as a PC or a workstation.
  • the signature control program described in the present embodiment is executed by being recorded on a computer-readable recording medium and being read from the recording medium by the computer.
  • the recording medium is a hard disk, a flexible disk, a compact disc (CD)-ROM, a magneto optical disc (MO), a digital versatile disc (DVD), or the like.
  • the signature control program described in the present embodiment may be distributed via a network such as the Internet.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
EP20943095.8A 2020-06-30 2020-06-30 Signatursteuerungsverfahren, signatursteuerungsprogramm und informationsverarbeitungsvorrichtung Pending EP4175217A4 (de)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/025724 WO2022003841A1 (ja) 2020-06-30 2020-06-30 署名制御方法、署名制御プログラム、および情報処理装置

Publications (2)

Publication Number Publication Date
EP4175217A1 true EP4175217A1 (de) 2023-05-03
EP4175217A4 EP4175217A4 (de) 2023-08-23

Family

ID=79315809

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20943095.8A Pending EP4175217A4 (de) 2020-06-30 2020-06-30 Signatursteuerungsverfahren, signatursteuerungsprogramm und informationsverarbeitungsvorrichtung

Country Status (5)

Country Link
US (1) US20230075524A1 (de)
EP (1) EP4175217A4 (de)
JP (1) JP7355247B2 (de)
CN (1) CN115699674A (de)
WO (1) WO2022003841A1 (de)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023152797A1 (ja) * 2022-02-08 2023-08-17 富士通株式会社 検証方法、検証プログラムおよび情報処理装置

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6601172B1 (en) * 1997-12-31 2003-07-29 Philips Electronics North America Corp. Transmitting revisions with digital signatures
CN101453332A (zh) 2002-04-15 2009-06-10 株式会社Ntt都科摩 利用双线性映射的签名方案
US7664957B2 (en) * 2004-05-20 2010-02-16 Ntt Docomo, Inc. Digital signatures including identity-based aggregate signatures
EP2680046B1 (de) 2006-09-08 2015-01-21 Certicom Corp. Authentifizierte hochfrequenzidentifikation mit aggregierten signaturen und schlüsselverteilungssystem dafür
WO2008075420A1 (ja) 2006-12-20 2008-06-26 Fujitsu Limited 電子署名プログラム、電子署名装置、および電子署名方法
JP5183401B2 (ja) * 2008-09-29 2013-04-17 Kddi株式会社 アグリゲート署名生成システム、アグリゲート署名生成方法、およびアグリゲート署名生成プログラム
CN107968708B (zh) 2017-11-10 2020-01-17 财付通支付科技有限公司 生成签名的方法、装置、终端及服务器
CN109936442B (zh) * 2017-12-16 2022-08-23 河南师范大学 一种多密钥共享方法及其装置
JP2019212241A (ja) 2018-06-08 2019-12-12 豊 仲宗根 情報処理装置、情報処理方法、プログラム及び取引システム
US11184176B2 (en) * 2018-09-26 2021-11-23 Guardtime Sa System and method for generating data signatures over non-continuously bidirectional communication channels
US11290276B2 (en) * 2019-08-02 2022-03-29 EMC IP Holding Company LLC Method and system for a signed document validity service

Also Published As

Publication number Publication date
WO2022003841A1 (ja) 2022-01-06
US20230075524A1 (en) 2023-03-09
CN115699674A (zh) 2023-02-03
JPWO2022003841A1 (de) 2022-01-06
EP4175217A4 (de) 2023-08-23
JP7355247B2 (ja) 2023-10-03

Similar Documents

Publication Publication Date Title
CN110800253A (zh) 用于基于多数为数字文档产生密码时间戳的方法和设备
EP4175217A1 (de) Signatursteuerungsverfahren, signatursteuerungsprogramm und informationsverarbeitungsvorrichtung
CN112905536B (zh) 基于区块链的数据校验同步方法和装置
AU2021234387A1 (en) Block chain proof for identification
CN106951743A (zh) 一种软件代码侵权检测方法
CN115208628A (zh) 基于区块链的数据完整性验证方法
JPWO2022003841A5 (de)
CN114785710A (zh) 一种工业互联网标识解析二级节点服务能力的评估方法及系统
CN112600871A (zh) 一种联合办公用文件管理系统
CN116132071B (zh) 基于区块链的标识解析节点身份认证方法和装置
CN111274579B (zh) 一种基于计算机的企业文档加密防护系统
CN114615065A (zh) 一种基于大数据的计算机网络安全防御方法及系统
CN112434231A (zh) 一种数据处理方法、装置及电子设备
Barletta et al. Quantum-Based Automotive Threat Intelligence and Countermeasures
CN112465502A (zh) 一种离线部署数字时间戳的方法
CN114900378B (zh) 一种物联网设备漏洞数据的协作推荐方法及装置
EP4224351A1 (de) Verifizierungsverfahren, verifizierungsprogramm und informationsverarbeitungsvorrichtung
CN114244823B (zh) 一种基于Http请求自动变形的渗透测试方法及系统
CN113723913B (zh) 核电厂文件管理方法、装置、设备及存储介质
JP2024085849A (ja) 匿名化システムおよび匿名化方法
CN110059093A (zh) 基于两级双向哈希链表的电子数据存储方法和系统及设备
CN114676463B (zh) 文件篡改检测方法、装置、电子设备及存储介质
WO2024122044A1 (ja) 車両カルテ検証システム、車両カルテ検証方法、及び、プログラム
CN114422619B (zh) 业务识别方法、装置、设备及存储介质
CN115314515A (zh) 数据共享方法、装置、电子设备及计算机可读存储介质

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20221114

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: H04L0009320000

Ipc: H04L0009140000

A4 Supplementary search report drawn up and despatched

Effective date: 20230725

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/32 20060101ALI20230719BHEP

Ipc: H04L 9/14 20060101AFI20230719BHEP

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)